Big ISPs Unite Behind E-Mail Identity; No Consensus on Protocol

The top Internet service providers urged further testing yesterday of e-mail identity technologies and widespread industry adoption of best practices as part of a concerted effort to fight spam.

The Anti-Spam Technical Alliance, a group founded in April 2003 that includes AOL, EarthLink, Microsoft and Yahoo, echoed the Federal Trade Commission's recent endorsement of e-mail authentication as the best vehicle to fight spam. But the alliance did not commit to implementation of either of the dominant e-mail identity proposals or give a timetable for a single standard.

Microsoft, AOL and EarthLink support the combined SPF (Sender Policy Framework)-Caller ID, now called Sender ID, which verifies senders by matching up their IP addresses with their registered servers. Yahoo, however, plans to implement its own solution, DomainKeys, which uses public and private keys to verify the sender's identity and the integrity of the message. Though generally thought more robust than SPF and Sender ID, DomainKeys would require more work to implement, according to industry executives.

The ISPs said they would spend the rest of the year testing the different authentication technologies before deciding on implementation.

The alliance endorsed both methods of e-mail authentication as promising tools to fight "spoofing" -- where spammers hide the origin of their messages by using another domain name -- without setting up an implementation framework. Spoofing is used commonly in so-called phishing schemes, where scammers send messages made to look as if they are from financial institutions to obtain passwords and banking information.

"Implementing these recommendations will significantly enhance the Internet community's ability to trace the source of spam and hold senders accountable for their actions," the policy document reads.

AOL, EarthLink, Microsoft and Yahoo already have taken concerted legal action against spammers, filing six lawsuits in March under the federal CAN-SPAM Act. British Telecom and Comcast also are ASTA members.

Trevor Hughes, executive director of the E-mail Service Provider Coalition, said he viewed the policy recommendations positively.

"There is consensus around domain-based authentication," he said. "As a first step, we need to get domain-based authentication done."

The FTC last week endorsed industry efforts to establish e-mail identity as the most promising way to fight spam. The commission rejected the proposal of a do-not-e-mail registry, saying that without secure e-mail identity, it could not hope to track down violators. The FTC plans to hold an authentication summit in the fall to discuss progress and said it would convene an advisory committee as a preliminary step to implementing a federal solution if the private market fails to devise one.

Microsoft helped move the debate forward last month when it agreed to merge its Caller ID authentication proposal with SPF, the open-source protocol endorsed by AOL and EarthLink. Under the combined protocol, e-mail senders can validate their identity using either method. Over 19,000 domains now publish SPF records and about 20 e-mail sending products support it, according to Meng Weng Wong, the protocol's developer.

Despite the momentum toward SPF, Yahoo plans to forge ahead with DomainKeys instead, leading to the possibility of e-mailers needing to authenticate their messages with two separate systems. Miles Libbey, Yahoo's anti-spam product manager, said Yahoo remained focused on DomainKeys, and testing of both protocols would dictate what should be adopted.

"The results of those tests will help tell us what the rest of the roadmap is," he said.

Both standards are under review by the Internet Engineering Task Force, the standards body for the Internet. AOL has tested SPF since December and will require commercial e-mailers on its white list to publish it by August.

"That's a great motivation for all of us in the industry," said Quinn Jalli, director of ISP relations at Digital Impact, a San Mateo, CA, e-mail service provider, which is in the process of publishing its SPF records.

E-mail service providers like Digital Impact, EmailLabs and Bigfoot Interactive have rushed to publish SPF records, a relatively easy process. Hughes said all ESPC members would have their records published by the end of the year. Commercial e-mailers have been less active at implementing DomainKeys.

"We're in the process of looking at DomainKeys and implementing it," said Michael Della Penna, chief marketing officer at Bigfoot Interactive. "For most folks, it's just a higher level of technological diligence on that front."

Wong said DomainKeys is a good long-term solution, but that SPF has the best chance to make an immediate impact on spam.

"I think what will happen, though, is SPF will roll out first and DomainKeys will roll out second," he said.

ASTA also proposed best practices for e-mail receivers and senders. It urged receiving domains to close open proxies, set rate limits and quarantine computers infected with spam-sending viruses. It also suggested the construction of a centralized database of spam complaint data that ISPs could share. The group said it was working with the task force to develop a common reporting format to share the information among e-mail providers.

David Daniels, an analyst with Jupiter Research, said such sharing made sense, and it would help e-mailers keep their lists clean by providing them with copies of complaints, like AOL often does.

For senders, ASTA warned against practices already made illegal by CAN-SPAM, such as harvesting e-mail addresses and using false headers. The ISPs also suggested commercial e-mailers consider participating in an accreditation service, such as IronPort's Bonded Sender or Habeas.

Such reputation services are thought to be the next step in the spam fight once a secure e-mail identity is established. In May, Microsoft said it would deploy Bonded Sender for MSN and Hotmail users.